How to remove the credential for legacy Threat Detection feature from Azure SQL Database

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

(Written on May 30th, 2024)

 

If you come across a credential named something like 'https://xxyyzz.blob.core.windows.net/sqldbtdlogs' in the sys.database_scoped_credentials table of your Azure SQL Database and are unsure of its purpose, it is likely related to the Threat Detection feature. This feature monitored and detected threats to your Azure SQL Database, generating reports stored in the sqldbtdlogs container in the storage account xxyyzz.


You can further verify this by checking the container for a folder with a name like 'SqlDbThreatDetection_Audit_xxxxx'.


Previously, this credential was automatically added to the sys.database_scoped_credentials table when Threat Detection was enabled and removed when it was disabled. However, Threat Detection has been deprecated and replaced by Microsoft Defender for Azure SQL, which offers more extensive and holistic monitoring and threat detection capabilities.

 

If you find this credential still present in your Azure SQL Database, it might have been missed during the transition from Threat Detection to Microsoft Defender for Azure SQL. If you confirm it is no longer in use and want to remove it, note that you cannot simply use the DROP DATABASE SCOPED CREDENTIAL command, as it will result in an error.


This design likely prevents the unintended removal of the credential, which would cause Threat Detection to fail. The credential should automatically be dropped once Threat Detection is disabled.

Since Threat Detection can no longer be enabled or disabled through the Azure Portal due to its deprecation, you can disable it with the Azure CLI command group az sql db threat-policy.

Here’s a demonstration:

1. Confirm the Credential Exists:


2. Check Threat Detection Status:

(If it shows 'Disabled', but the credential is present, you can still proceed to the next step to disable the feature again to drop the credential.)


3. Run the command to disable the feature to drop the credential:


4. Confirm the credential is no longer present:
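
The four steps above as one script. This is an added example, not the commands shown in the original post. It assumes the installed Azure CLI still ships the deprecated az sql db threat-policy group with its show and update subcommands, that sqlcmd can sign in with Microsoft Entra ID (-G), and that the resource group, server and database names are placeholders.

```sh
#!/bin/sh
# Added example: the post's four steps as a script. All three names are placeholders.
RG="${RG:-my-resource-group}"
SERVER="${SERVER:-my-sql-server}"   # logical server name, without .database.windows.net
DB="${DB:-my-database}"

# Steps 1 and 4: count scoped credentials that point at an sqldbtdlogs container.
# Assumes sqlcmd can sign in with Microsoft Entra ID (-G).
count_td_credentials() {
  _q="SET NOCOUNT ON; SELECT COUNT(*) FROM sys.database_scoped_credentials \
WHERE name LIKE 'https://%.blob.core.windows.net/sqldbtdlogs%';"
  _out="$(sqlcmd -S "${SERVER}.database.windows.net" -d "$DB" -G -h -1 -W -Q "$_q")" || return 1
  _out="$(printf '%s' "$_out" | tr -d '[:space:]')"
  case "$_out" in ''|*[!0-9]*) return 1 ;; esac   # refuse anything that is not a count
  printf '%s\n' "$_out"
}

# Step 2: state of the legacy policy as reported by the CLI.
td_state() {
  az sql db threat-policy show -g "$RG" -s "$SERVER" -n "$DB" --query state -o tsv
}

# Step 3: write state=Disabled again, even when step 2 already shows Disabled.
disable_td() {
  az sql db threat-policy update -g "$RG" -s "$SERVER" -n "$DB" --state Disabled -o none
}

# Returns 0 when no credential remains, 1 when it survived, 2 on a tool error.
remove_legacy_td_credential() {
  _before="$(count_td_credentials)" || return 2
  if [ "$_before" -eq 0 ]; then
    echo "no sqldbtdlogs credential found; nothing to do"; return 0
  fi
  echo "found $_before credential(s); policy state: $(td_state)"
  disable_td || return 2
  _after="$(count_td_credentials)" || return 2
  if [ "$_after" -ne 0 ]; then
    echo "credential still present after disabling" >&2; return 1
  fi
  echo "credential removed"
}

if [ "${1:-}" = "run" ]; then remove_legacy_td_credential; fi
```

Set RG, SERVER and DB in the environment and pass run as the first argument. Exit status 1 means the credential was still listed after the policy was set to Disabled.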


(The end of this post)
